The MCALLEN Case: Computer Intrusions Confirmed


The following is the 8th in a series of excerpts from my New York Times bestseller “Stonewalled,” which recounts the government intrusions of my computers. More excerpts to follow.[hr]

| THE MCALLEN CASE

The MCALLEN Case begins on February 2, 2013.
We’re expecting snow on a chilly Saturday in Northern Virginia.
The doorbell rings and I greet the very businesslike Jerry Patel [not his real name], the private computer forensics analyst hired by Isham at CBS. Patel is doing CBS a favor by coming here. I haven’t shared many details with him and I can tell at the outset he doesn’t really expect to find anything significant. He thinks he’s here to put my mind at ease. To assure me that the strange goings-on with my computers aren’t the work of any intruder. Maybe just ordinary malware, a nagging virus, or a glitch.

[hr]Support the Attkisson v. DOJ/FBI Fourth Amendment Litigation Fund to fight the government computer intrusions[hr]

I begin with niceties but none are necessary. Patel patiently tolerates the introduction before asking to be directed to the star of the show: my computers. I lead him upstairs into my bedroom and adjacent office. At night, this entire area becomes my workspace. My husband knows that when I’m on an important story, this is the business space until one or two in the morning. Forget about lights out.

Patel sits on the couch in my bedroom and unlocks a briefcase full of gear like a high-tech handyman. He tells me he’s given this job a code name: The MCALLEN Case. I give a brief summary of what’s been going on. Then he opens up the CBS News laptop and begins deconstructing the files. He transforms the user-friendly format of my Toshiba Windows into a baffling screen full of lines punctuated by brackets, forward slashes, and question marks. He looks in places that most of us have no idea exist in our computers. I’m practically breathing down his neck as I watch his fingers dance along the keyboard and his eyes scan one line after another. As the hours pass and my mind gets accustomed to looking at the gibberish, it almost begins to make sense to me.

[hr]Read excerpt #1 here: The Computer Intrusions: Up at Night
#2: Big Brother: First Warnings
#3: The Computer Intrusions: Disappearing Act
#4: The Incredible, Elusive “Verizon Man”
#5: I Spy: The Government’s Secrets
#6: Computer Intrusions: The Discovery
#7: Notifying CBS About the Government Computer Intrusions [hr]

Other than a few “nonstandard” observations, the process is frankly pretty mundane. That is, until the date of December 9, 2012, surfaces. That was the time frame when I noticed that my computers had stopped freelancing on me.

“It looks like what we’re seeing here is a log-in attempt at 4:20, approximately 4:20 and three seconds in the morning on December 9, 2012.”

His voice has escalated from the soft monotone to somewhat expressive for the first time on the visit. I wasn’t the one who attempted to log in at 4:20 in the morning. Patel spots another suspect message on December 12, 2012.

“What’s unusual is audit policy changes.”

He tells me that someone with administrative privileges, not me, has taken action in my computer. His voice becomes excited.

“Someone changed the audit policy at 8:48 in the morning . . . your computer rebooted at one o’clock in the morning. . . . So we’ll go backwards. Here we go. December 11 we’re back at the time in question. 4:05 [a.m.] . . . all right.”

I don’t know how to interpret what he’s saying but I’m following along as he points to the lines on the screen.

“But you see . . .” he says, pointing to 4:05 a.m.

“There’s nothing there . . .” I observe.

“Oh boy.”

“What does that mean?”

“Ohhh boy. Look at the difference. December 10, 5:00:50 seconds. December 11th. Someone removed 24 hours.”

He exhales, makes a whoosh noise, and summarizes.

“We have evidence that shows 24 hours, 23 hours of log messages have been removed. That’s suspicious behavior.”

[hr]A diverse group of Constitutional free press and privacy advocates is supporting Attkisson v. Dept. of Justice/FBI to fight the government computer intrusions. Click here to support.[hr]

Now he’s breathing heavily. It alarms me because it alarms him and he’s not easily alarmed. His voice becomes more formal and he launches into what sounds like a speech for posterity.

“In my professional opinion, someone has accessed this box. I’m going to be honest with you. I was hoping you weren’t infected. But . . . I see evidence that shows a deliberate and skilled attempt to clean the log files of activity.

“Approximately 23 hours . . . 22 hours, 55 minutes of log messages have been removed. That is extremely nonstandard, especially considering the act of clearing a log is a log message in and of itself. So I am now going to concur with . . . I’m starting to concur with your suspicions.”

His findings are lining up with what my earlier analysis found.

“Well, I suppose this visit wasn’t for nothing then,” he says. Deeper offsite analysis will be required.

It’s dusk and the clouds are heavy with impending snow. Patel has been here six hours now and needs to head back to town to meet friends for dinner. Before he leaves, he wants to take a quick look at my personal Apple iMac desktop computer. Since his time is short, I ask him to go straight to December 9 on the iMac, too. If the intruders removed evidence of their presence from my laptop around that time, they might have tried to cover their tracks on the iMac desktop as well. Within a few minutes, it’s confirmed.

“Oh shit!” The high-tech handyman is now fully animated. “Par- don my French but . . .”

“That’s gone, too?” I say, looking over his shoulder.

“That’s now a pattern . . . We have a gap,” Patel reports in the official posterity voice.

“A second gap from December 8, 2012, 10:12:11 p.m. to December 9, 2012, 3:18:39 p.m. That’s not normal. Someone did that to your computer. Two separate instances showing the same MO. That shows knowledge of the event logging and it shows skill. Somebody’s deleting days of messages . . . That shows skill.”

He then searches through what he says is a key file.

“It should be bigger than that. It should be huge. Somebody deleted the file on December 11. It’s not supposed to be like that. It’s supposed to have lots of data in it and it doesn’t.”

“So what does that mean?” I ask.

“Someone was covering their tracks.” Long exhale.

“So they would’ve done that remotely? ’Cause no one’s been in the
house.”

“Yeah. We’re examining the last log. And we have a deletion
wtemp log that actually begins Saturday, December 11. Suggests the log was deleted on that day.”

He proposes conducting further analysis at his office. But he tells me at the outset that he doesn’t think he’ll be able to attribute the intrusion to the guilty party. He can already see that from his cursory analysis. They’re too sophisticated, he tells me. Too skilled. This is far beyond the abilities of even the best nongovernment hackers. They’ll have covered their tracks.

It’s snowing now. And dark. Patel remarks that sometimes his computer forensics job is a little dull. But the MCALLEN Case is not. He rushes off to meet his friends, leaving me and my compro- mised computers. I look out the window and watch his headlights track down my long driveway and down the road until they disappear.

What now? As someone who’s usually constantly online, I don’t much feel like working on my computers tonight.

Two days later, Patel sends an email to Isham and copies me. I hear his voice in my mind as I read his words.

“It is my professional opinion that a coordinated action (or series of actions) have taken place. I don’t wish to go into details because the integrity of email is now in question. . . . It bothers me that I was not able to leave Sharyl with an increased sense of security Saturday evening, but hopefully we can all work together to remedy this ASAP.”

[hr]To be continued…[hr]

Support the Attkisson v. DOJ/FBI Fourth Amendment Litigation Fund to fight the government computer intrusions[hr]


Leave a Comment

Your email address will not be published. Required fields are marked *

4 thoughts on “The MCALLEN Case: Computer Intrusions Confirmed”

  1. This is a chilling series of posts…and truly Orwellian.
    How frightening to go thru such
    actions at the hands of your own government.
    I now have to have the entire book to read..going on my Christmas wish list!
    Thank you, Sharyl, for your diligence and quality journalism.

Scroll to Top